Integration Misp using Filebeat

Elastic Stack Beats
1

Hi there,

I´m trying to integrate MISP using the documentation using filebeat but no go. I´ve tried both (Misp module and Threatintel module) and none of them gets into ELK Stack.

Follow the errors from filebeat journalctl:

{"log.level":"error","@timestamp":"2022-05-19T16:37:42.021-0300","log.logger":"input.httpjson-cursor","log.origin":{"file.name":"httpjson/request.go","file.line":353},"message":"error processing response: expected map but type is []interface {}","service.name":"filebeat","id":"CAF1EDC614DA8C15","input_source":"https://10.130.0.240/events/restSearch","input_url":"https://XX.XX.XX.XX/events/restSearch","ecs.version":"1.6.0"}

Can anyone help me on that?

Thanks for the attention.

2

Can u post ur config?

3

threatintel.yml:

- module: threatintel
  misp:
    enabled: true
	var.input: httpjson
	var.url: https://XX.XX.XX.XX/attributes/restSearch/last:15m
	var.api_token: REDACTED
    var.ssl.verification_mode: none
	var.interval: 5m
4

Hi @francescouk

in threatintel module you have to use events not attributes



- module: threatintel
  misp:
    enabled: true
    var.input: httpjson
    var.url: https://SERVER/events/restSearch
    var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z
    var.first_interval: 24h
    var.interval: 60m
5

I´ve tried that also and did not work. Will make the changes again and post the results here. :frowning:

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.